[StepSecurity] Apply security best practices #226
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
pull_request: | |
branches: | |
- "**" | |
workflow_call: # Needed to make this a reusable workflow for releasing artifacts https://docs.github.com/en/actions/using-workflows/reusing-workflows | |
jobs: | |
CI: | |
strategy: | |
matrix: | |
architecture: [X64, ARM64] | |
distribution: [Ubuntu, AL2] | |
runs-on: | |
- self-hosted | |
- Linux | |
- ${{matrix.architecture}} | |
- ${{matrix.distribution}} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 | |
with: | |
egress-policy: audit | |
- name: Checkout repository | |
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 | |
- name: Install Rust toolchain | |
uses: dtolnay/rust-toolchain@2080da66123fcc7ec821c7597e9bc40af40d8af6 # 1.73.0 | |
with: | |
components: rustfmt, clippy | |
- uses: Swatinem/rust-cache@81d053bdb0871dcd3f10763c8cc60d0adc41762b # v1 | |
- name: Install gcc on Ubuntu | |
if: ${{ matrix.distribution == 'Ubuntu' }} | |
run: sudo apt install -y build-essential | |
- name: Install gcc on AL2 | |
if: ${{ matrix.distribution == 'AL2' }} | |
run: sudo yum install -y "@Development Tools" | |
- name: Install NodeJs | |
run: | | |
curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.3/install.sh | bash \ | |
&& source ~/.nvm/nvm.sh && nvm install v16.16.0 | |
- name: Install musl on Ubuntu | |
if: ${{ matrix.distribution == 'Ubuntu' }} | |
run: sudo apt-get install -y musl-tools | |
- name: Build & install musl on AL2 | |
if: ${{ matrix.distribution == 'AL2' }} | |
run: | | |
wget https://git.musl-libc.org/cgit/musl/snapshot/musl-1.2.3.tar.gz \ | |
&& tar xvf musl-1.2.3.tar.gz && cd musl-1.2.3 \ | |
&& ./configure && sudo make install && cd .. && sudo rm -rf musl-1.2.3 | |
- name: Symlink musl-gcc on ARM64 & Ubuntu | |
if: ${{ matrix.architecture == 'ARM64' && matrix.distribution == 'Ubuntu' }} | |
run: sudo ln -snf /usr/bin/musl-gcc /usr/bin/aarch64-linux-musl-gcc | |
- name: Symlink musl-gcc on AL2 & ARM64 | |
if: ${{ matrix.architecture == 'ARM64' && matrix.distribution == 'AL2' }} | |
run: sudo ln -snf /usr/local/musl/bin/musl-gcc /usr/bin/aarch64-linux-musl-gcc | |
- name: Symlink musl-gcc on AL2 & X64 | |
if: ${{ matrix.architecture == 'X64' && matrix.distribution == 'AL2' }} | |
run: sudo ln -snf /usr/local/musl/bin/musl-gcc /usr/bin/musl-gcc | |
- name: Build for X64 | |
if: ${{ matrix.architecture == 'X64' }} | |
run: | | |
rustup target add x86_64-unknown-linux-musl \ | |
&& source ~/.nvm/nvm.sh \ | |
&& cargo build --release --target x86_64-unknown-linux-musl | |
- name: Build for ARM64 | |
if: ${{ matrix.architecture == 'ARM64' }} | |
run: | | |
rustup target add aarch64-unknown-linux-musl \ | |
&& source ~/.nvm/nvm.sh \ | |
&& cargo build --release --target aarch64-unknown-linux-musl | |
- name: Set perf_event_paranoid to 0 | |
run: echo 0 | sudo tee /proc/sys/kernel/perf_event_paranoid | |
- name: Run tests | |
run: source ~/.nvm/nvm.sh && cargo test --verbose -- --nocapture --color always | |
- name: Run clippy | |
run: source ~/.nvm/nvm.sh && cargo clippy --all-targets --all-features | |
- name: Run rustfmt | |
run: source ~/.nvm/nvm.sh && cargo fmt --all -- --check |